Arbitrary Shortcode Execution in GamiPress Plugin for WordPress
CVE-2024-13499
7.3HIGH
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 22 January 2025
Summary
The GamiPress plugin, used for gamifying WordPress sites by rewarding users with points, achievements, badges, and ranks, has a critical vulnerability that allows for arbitrary shortcode execution. This issue arises from the gamipress_do_shortcode() function, which fails to adequately validate input. As a result, unauthenticated attackers can exploit this vulnerability to execute arbitrary shortcodes, potentially leading to unauthorized actions on affected WordPress sites. All versions of GamiPress up to and including 7.2.1 are impacted, necessitating immediate attention and remediation from site administrators.
Affected Version(s)
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress * <= 7.2.1
References
CVSS V3.1
Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Credit
abrahack